The enemy adapts: the state of spam, malware, and phishing scams

As users and security companies adapt to common malware attack vectors, …

Web 2.0 under attack: trolling the online community for personal data

As the general public becomes more aware of security measures and practices skeptical computing, the bad guys are becoming increasingly creative about whom they attack. A new approach has been to infiltrate the growing number of "community" web sites, such as MySpace. People put all kinds of personal information on these social sites, and hackers are already busy mining that data. People are much more amenable to the idea of interacting with a "web friend" than with a complete stranger, so new scripts have been created that attempt to mimic a real person. Often the bot will create a profile of an attractive woman who wants to send the hapless user an "animated greeting card," which ends up being a trojan. Other bots ask users for all kinds of personal information.

Not only the users, but the sites themselves have come under attack. With the rush to add more whizzy features to Web 2.0 sites, security is often given only a brief consideration. MySpace suffered an embarrassing attack last July when hackers inserted images exploiting a .WMF hole into banner ads. Studies by security analysts have shown that most Web 2.0 code and AJAX toolkits don't protect servers and their users from JavaScript vulnerabilities.

These community web sites are not the only places where people congregate, however. People are spending an increasing amount of time on multiplayer online games, such as Blizzard's wildly popular World of Warcraft, which was recently estimated to have over seven million subscribers worldwide. Despite Blizzard's attempts to ban people who sell online gold, players still find their chat boxes and in-game e-mail accounts flush with gold farming spam. A game that was intended to be an escape from the real world has wound up mimicking it.

These aren't the worst types of attacks, however. Hackers have created keyloggers and sniffers that attempt to grab people's World of Warcraft account passwords, often hiding them in seemingly legitimate game extensions. What do the bad guys want with online game accounts? It's not because they want to play. Instead, they will log on to the person's account and mail all their gold and non-bound items to one of the hacker's accounts, disenchanting the character's equipment into valuable shards if possible. The hacker then sells the resulting gold to a gold farmer. Not only is this easy cash, but it is also a nearly untraceable method of money laundering.

Conclusions

Viruses and other malware have been around for a long time, and despite massive efforts by individuals and organizations to fight them, they do not seem to be going away. However, the nature of malware has changed over the years. In the beginning, much of it was created by malcontent individuals who merely wished to break a few rules and cause some havoc. These days, however, the motivation is primarily financial. With the rise of Internet banking and money transaction sites such as PayPal, there is real money to be made with phishing scams.

The good news is that people are becoming more and more aware of these scams, and technological solutions such as phishing filters are becoming more and more standard with new web browsers and operating systems. Of course, history teaches us that technological solutions are not enough: as they did with anti-virus software before, hackers will find ways around phishing filters. The only real solution is a combination of technology and user education.

One bright spot is that the percentage of the general public that is directly harmed by phishing and malware remains relatively low. It has been estimated that over a million computers have been turned into zombies as part of botnets, but this represents only about a tenth of one percent of all computers in the world. As more people upgrade their computers to models with newer, more secure operating systems, the hackers are being forced to get more out of each machine in a botnet.

The bad guys, however, are not standing still. With every move made to combat malware, the hackers are finding new avenues to attack. Like cockroaches, malware authors will never go away. However, this doesn't mean we have to live in the digital equivalent of cockroach-infested homes. Filtering solutions for ISPs are part of the answer. The other part is on the user's end: better software and a more skeptical approach to e-mail and web-based scams.